It was thus said that the Great - - once stated:
>
> Hi,
>
> I recently set up an environment for testing client certificate based
> authentication on an apache webserver. The test environment is a recent Ubuntu
> 8.10 distro with tinyca2 0.7.5 and apache 2.2.9. I have set up a test root CA and
> two certificates signed by this CA: one for the webserver and one for the user.
> Everything done by tinyca2. First I configured apache to allow only
> ssl-connections (no client certificates yet). Everything worked so far: /var/www
> is only accessible via https. Now I added a new subdirectory /var/www/secret
> with a dummy index.html which should only be accessible by users who provide a
> certificate. So I added this to my sites-enabled/foo.conf:
>
>     ...
>     SSLVerifyClient none
>     ...
>
>     SSLVerifyClient require
>     SSLVerifyDepth 2
>     SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>                  and %{SSL_CLIENT_S_DN_CN} eq "My name in CN of certificate" )
>
> What I expected was: outside of /var/www/secret (i.e. in /var/www or
> /var/www/public) documents are accessible by everyone; only inside of
> /var/www/secret does a user need to provide his certificate.
> What I got was: apache asks for the user's certificate no matter which document
> is requested (i.e. inside AND outside of /var/www/secret).
>
> I used http://www.garex.net/apache/ as How-to.
> Any hints?
Here is the configuration I'm using that works:

    # Plain HTTP vhost: serves the public htdocs tree only
    <VirtualHost 66.252.224.242:80>
      ServerName      secure.conman.org
      ServerAdmin     sean@xxxxxxxxxx
      DocumentRoot    /home/spc/web/sites/secure.conman.org/htdocs
      ScriptAlias     /cgi-bin/ /home/spc/web/sites/secure.conman.org/cgi-bin/
      CustomLog       /home/spc/web/logs/secure.conman.org combined
      UseCanonicalName on
      AddType         text/plain .pem

      <Directory /home/spc/web/sites/secure.conman.org/htdocs>
        Options       All
        AllowOverride None
      </Directory>
    </VirtualHost>

    # HTTPS vhost: no client certificate is asked for at vhost level;
    # only the s-htdocs/library <Directory> below requires one
    <VirtualHost 66.252.224.242:443>
      ServerName      secure.conman.org
      ServerAdmin     sean@xxxxxxxxxx
      DocumentRoot    /home/spc/web/sites/secure.conman.org/s-htdocs
      ScriptAlias     /cgi-bin/ /home/spc/web/sites/secure.conman.org/cgi-bin/
      CustomLog       /home/spc/web/logs/s-secure.conman.org sslcombined
      UseCanonicalName on

      SSLEngine on
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP
      SSLProtocol all -SSLv2
      SSLCertificateFile    /home/spc/web/sites/secure.conman.org/server.crt
      SSLCertificateKeyFile /home/spc/web/sites/secure.conman.org/server.key

      <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
      </Files>

      <Directory /home/spc/web/sites/secure.conman.org/cgi-bin>
        Options    -Indexes
        SSLOptions +StdEnvVars
      </Directory>

      <Directory /home/spc/web/sites/secure.conman.org/s-htdocs>
        Options       All
        AllowOverride None
      </Directory>

      # Client certificate required only here; the cert must chain to the
      # CA list (within SSLVerifyDepth) and carry the expected O and OU
      <Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O}  eq "Conman Laboratories" \
               and %{SSL_CLIENT_S_DN_OU} eq "Clients"
        SSLVerifyClient require
        SSLVerifyDepth  10
      </Directory>

      SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    </VirtualHost>

The only thing not here is the following (which is in another part of the configuration file):

    SSLCACertificateFile /etc/httpd/conf/ssl.calist

That file contains the CA Certificate (of my self-created CA) so Apache can authenticate the client certificates. I used TinyCA to create all the appropriate certificates.
I did pull a bunch of settings from the ssl portion of the default configuration and put them here so I had everything in one place for easy testing.

-spc

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
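An offline pre-check for the library <Directory> block above, added here as an example and not taken from the thread: given a candidate client certificate and the CA list file, it reports whether that certificate would clear both SSLVerifyClient require / SSLVerifyDepth (it chains to ssl.calist) and the SSLRequire subject test (O and OU). The CA and client certificates it builds are constructed test data, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: check offline whether a client cert
# would pass what mod_ssl checks for the s-htdocs/library <Directory> block:
# it must chain to SSLCACertificateFile (ssl.calist) within SSLVerifyDepth,
# and its subject must satisfy the SSLRequire expression
# (O = "Conman Laboratories" and OU = "Clients"). Needs the openssl CLI.
set -eu

# subject_field CERT FIELD: print the value of one subject RDN (O, OU, CN).
subject_field() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n "s/^ *$2=//p" | head -n 1
}

# chain_ok CERT CALIST DEPTH: succeed if CERT verifies against CALIST within
# DEPTH, which is what SSLVerifyClient require + SSLVerifyDepth demand.
chain_ok() {
    openssl verify -CAfile "$2" -verify_depth "$3" "$1" >/dev/null 2>&1
}

# ssl_require_ok CERT: the SSLRequire expression from the library block.
ssl_require_ok() {
    [ "$(subject_field "$1" O)" = "Conman Laboratories" ] &&
    [ "$(subject_field "$1" OU)" = "Clients" ]
}

# would_be_allowed CERT CALIST: print "allow" or "deny" for the library dir.
would_be_allowed() {
    if chain_ok "$1" "$2" 10 && ssl_require_ok "$1"; then echo allow; else echo deny; fi
}

# make_fixtures: constructed test data, a throwaway CA standing in for
# ssl.calist plus three client certs; prints the directory holding them.
make_fixtures() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ssl.calist" >/dev/null 2>&1
    for spec in "good:/O=Conman Laboratories/OU=Clients/CN=Alice" \
                "wrong_ou:/O=Conman Laboratories/OU=Staff/CN=Bob"; do
        name=${spec%%:*}; subj=${spec#*:}
        openssl req -newkey rsa:2048 -nodes -subj "$subj" \
            -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ssl.calist" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/$name.crt" >/dev/null 2>&1
    done
    # Right subject but self-signed, i.e. not issued by the CA in ssl.calist.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/selfsigned.key" \
        -subj "/O=Conman Laboratories/OU=Clients/CN=Carol" -out "$d/selfsigned.crt" >/dev/null 2>&1
    echo "$d"
}
```

Run `d=$(make_fixtures); would_be_allowed "$d/good.crt" "$d/ssl.calist"` to see the allow case, and point the same function at a real client certificate and /etc/httpd/conf/ssl.calist to predict what the library directory will do before touching the server.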